2024-07-05
The Dutch Authority for the Financial Markets (AFM) issued this checklist to guide financial entities in assessing their compliance with the Digital Operational Resilience Act (DORA) ahead of the January 17, 2025 deadline. The document outlines ten critical thematic areas, including governance, ICT risk management, information security, business continuity, and third-party ICT risk management, requiring firms to establish specific policies, registers, and procedures. It serves as a practical tool for conducting gap analyses and implementing necessary operational resilience measures, while noting simplified frameworks for smaller entities.
Getting Started with DORA: Checklist (AFM supervisory checklist)

The Digital Operational Resilience Act (DORA) is a European regulation aimed at enhancing the cyber resilience of financial entities. These entities have until January 17, 2025, to comply with the requirements. This DORA checklist is intended to clarify what policies and procedures are needed to comply with the regulation, based on 10 key themes.

Note: Due to the scope of DORA, the checklist is not exhaustive. For further clarification on the requirements, we refer to the regulation and the associated RTS and ITS. See the AFM website for more information.

Note: For a number of smaller parties, a simplified framework applies for ICT risk management, as explained in Article 16(1) and AFM DORA update 3.

Answer options (each question is answered with one of the following; the AFM's advice for that answer is given alongside it):

No (GAP): advice to start a DORA GAP analysis.
Partially (GAP): advice to convert the DORA GAP analysis into actions.
Yes, established: advice to start an implementation program and adjust the relevant (business) processes.
Yes, established and implemented: advice to continuously monitor the adequate functioning of policies and procedures.

Questions

1/10 Governance (Art. 5)
Has the management body established a governance and control framework for the management of ICT risks? This must provide, among other things: clear tasks and responsibilities for ICT functions, such as the design of the ICT risk function; allocation of budget; periodic evaluations and reporting lines; and an internal ICT audit plan.

2/10 ICT Risk Management (Art. 6)
Have you established a framework for ICT risk management as part of your enterprise-wide risk management system? This must provide, among other things: a risk analysis methodology, a risk register (including action plans), and periodic evaluations.

3/10 ICT Asset Inventory (Art. 8)
Do you have an inventory of all information and ICT assets, including all business processes that rely on ICT services from third-party providers? This must be maintained in a register that clearly indicates whether the assets support critical processes.

See RTS15 and 16(3) for further clarification on questions 1 to 3; see also Section III of RTS15 and 16(3).

4/10 Information Security Policy (Art. 9)
Have you established an ICT security policy that provides for policies and procedures aimed at ensuring the availability, integrity, and security of ICT systems? This must include, among other things, policies and procedures for technical measures such as: physical and logical access control; management of ICT changes; encryption; network security; and execution of patches and updates.

5/10 Business Continuity (Art. 11-12)
Have you established an ICT business continuity policy (Business Continuity Plan) that provides for a business continuity plan, the execution of business impact analyses, a communication plan, periodic testing, and an overview of events? This must, among other things, be tested using realistic test scenarios that attempt to simulate potential disruptions. Where possible, ICT services from third parties are also included in the testing activities. The test results are documented, and deviations are analyzed, followed up on, and reported to management.

6/10 Backup and Recovery (Art. 12)
Do you have backup policies and procedures, including recovery procedures and methodologies?

7/10 Awareness and Training (Art. 13)
Have you developed awareness programs regarding ICT security and training on digital operational resilience as mandatory modules in training programs aligned with the job profiles of employees?

See RTS15 and 16(3) for further clarification on questions 4 to 7.

8/10 Incident Management (Art. 17-23)
Have you established a control process for detecting and handling ICT-related incidents, including the use of an incident register and templates to support the reporting obligation? See RTS18(3), RTS20(a), and ITS20(b) for further clarification.

9/10 Digital Resilience Testing Program (Art. 24-27)
Have you established a risk-based program for testing digital operational resilience, including policies and procedures for following up on findings? See RTS26(11) for further clarification.

10/10 ICT Risk Management of Third-Party Providers (Art. 28-30)
Do you have policies for controlling ICT services from third-party providers that support critical and/or important business processes? This must provide, among other things: an information register for contracts with third-party ICT service providers, exit plans for critical and/or important functions, and contract templates based on the requirements in the RTS, such as service levels and audit rights. See RTS28(1), RTS30(5), and ITS28(9) for further clarification.

Publications: The AFM regularly shares informative updates and other publications in the lead-up to the entry into force of DORA to prepare entities.